Feature enable otp

[benjaminwols]

This PR adds an enable option, which lets the user enable and disable tfa.

If the need_two_factor_authentication? method returns true and otp is not enabled, the user is redirected to the :new view, where an QR code is shown if using an app and there is a link to ask for a direct otp code.

If the user confirms his code, otp is enabled and the user is asked next time for a otp code.

You can add a link to 'edit_user_two_factor_authentication_path' to let the user disable tfa.

I would love to get your feedback.

[chrise86]

Is it wise to be submitting the totp_secret in the form? I faced a similar situation recently and opted to:

• generate the code and update the user first
• display the QR code
• when they confirm by entering the authenticator code, mark them as otp_enabled.

If they don't confirm there and then, I regenerate the code next time and ask them to confirm using the new code.

[benjaminwols]

Good point.
I will take a look at this later this week.

[Xosmond]

The problem with generating the code and update the user first, is that when the user does not confirm by entering the authenticator code we will update the user again and again.

Sending the topt_secret in the form is fine because we are showing it on the qrcode (is the same thing).

PD: Maybe if somebody sees or changes the topt_secret via javascript would be a risk. I do not know.

PD2: I did a similar way of this PR by hand on my project (I think everybody will need to write this).

[benjaminwols]

@Houdini Do you have any thoughts on this matter?
I think it provides a solution to Issue #32.